formatting, add aa-unconfined
WIP wording, formatting, cleanup
|Deletions are marked like this.||Additions are marked like this.|
|Line 35:||Line 35:|
|Line 49:||Line 50:|
|List of processes with tcp or udp ports that do not have AppArmor profiles loaded||List of processes with tcp or udp ports that do not have AppArmor profiles loaded:|
|Line 53:||Line 54:|
|Line 57:||Line 59:|
|Find more profiles:||!AppArmor profiles live in `/etc/apparmor.d/`. Some packages automatically install their own profiles in this directory. To install more profiles:|
|Line 59:||Line 61:|
| * in the DebianPkg:apparmor-profiles-extra package (available in Jessie and newer);
* in the DebianPkg:apparmor-profiles package;
* in [[https://email@example.com|the patches, with new profiles included]], that were submitted to Debian;
* in Ubuntu.
| * [[DebianPkg:apparmor-profiles-extra]] provides and enables Debian-specific (not upstreamed) profiles.
* [[DebianPkg:apparmor-profiles]] provides various experimental profiles, and enables some by default.
* Check the equivalent [[https://packages.ubuntu.com/search?keywords=apparmor-profiles|Ubuntu packages]]
* Check newly [[https://firstname.lastname@example.org|submitted pacthes/profiles]] for !AppArmor in Debian
|Line 64:||Line 66:|
|!AppArmor profiles live in `/etc/apparmor.d/`. One can use [[DebianMan:8/apparmor_parser|apparmor_parser(8)]] to insert them into the kernel. This is done automatically when installing packages that drop policy in `/etc/apparmor.d/`.|
|Line 105:||Line 106:|
== See also ==
* [[DebianMan:8/apparmor_parser|apparmor_parser(8)]] manpage
This page describes how to use AppArmor on Debian.
AppArmor is available in Debian since Debian 7 "Wheezy".
Install AppArmor userspace tools:
If you are using Debian 10 "Buster" or newer, AppArmor is enabled by default so you can skip this step.
Enable the AppArmor Linux Security Modules (LSM):
$ sudo mkdir -p /etc/default/grub.d $ echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=1 security=apparmor"' \ | sudo tee /etc/default/grub.d/apparmor.cfg $ sudo update-grub $ sudo reboot
Inspect the current state
List all loaded AppArmor profiles for applications and processes and detail their status (enforced, complain, unconfined):
$ sudo aa-status
List running executables which are currently confined by an AppArmor profile:
$ ps auxZ | grep -v '^unconfined'
List of processes with tcp or udp ports that do not have AppArmor profiles loaded:
$ sudo aa-unconfined
Enable / install more profiles
AppArmor profiles live in /etc/apparmor.d/. Some packages automatically install their own profiles in this directory. To install more profiles:
apparmor-profiles-extra provides and enables Debian-specific (not upstreamed) profiles.
apparmor-profiles provides various experimental profiles, and enables some by default.
Check the equivalent Ubuntu packages
Check newly submitted pacthes/profiles for AppArmor in Debian
For example, to set all "extra" profiles (provided in the apparmor-profiles package) to complain mode (except deny rules that are silently enforced, security policy is not enforced and access violations are logged), do the following:
cd /usr/share/doc/apparmor-profiles/extras cp -i *.* /etc/apparmor.d/ for f in *.* ; do aa-complain /etc/apparmor.d/$f; done
To set these profiles to enforce mode, use aa-enforce instead of aa-complain. Beware though: many of these profiles are not up-to-date and will break functionality in enforce mode (and possibly even in complain mode); only enforce them if you're ready to improve them upstream.
AppArmor audit logs can be found in the systemd Journal or in /var/log/syslog.
For more detailed instructions, please read the dedicated documentation for debugging AppArmor.
Report a bug
If you think that you've found a bug in AppArmor or a software in Debian which ships its own profile, you might want to report a bug.
First, you can disable individual profiles with aa-disable.
But if you want to entirely disable AppArmor on your system, run:
$ sudo mkdir -p /etc/default/grub.d $ echo 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=0"' \ | sudo tee /etc/default/grub.d/apparmor.cfg $ sudo update-grub $ sudo reboot